TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement

May 26, 2010

Reference Number: 2010-20-041

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site | http://www.tigta.gov

HIGHLIGHTS

MODERNIZED E-FILE WILL ENHANCE PROCESSING OF ELECTRONICALLY FILED INDIVIDUAL TAX RETURNS, BUT SYSTEM DEVELOPMENT AND SECURITY NEED IMPROVEMENT

Final Report issued on May 26, 2010

Highlights of Report Number: 2010-20-041 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Modernized e-File Project’s (MeF) goal is to replace the Internal Revenue Service’s (IRS) current tax return filing technology with a modernized, Internet-based electronic filing platform. This will allow more individual taxpayers to take advantage of the benefits of electronic filing, while streamlining the IRS’ filing processes and reducing the costs associated with paper tax returns. The IRS’ management of the Project’s risks, requirements, and security can be improved to ensure the capabilities expected and approved to be deployed are appropriately implemented.

WHY TIGTA DID THE AUDIT

This review was part of our Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Modernization of the IRS. The overall objective of this review was to determine whether the MeF Project Release 6.1 development activities provided the capability to electronically receive, process, and secure U.S. Individual Income Tax Returns (Form 1040), delivering the intended benefits to the IRS and taxpayers.

WHAT TIGTA FOUND

On February 17, 2010, the IRS deployed MeF Release 6.1 and began processing electronically filed individual income tax forms. During the first 3 weeks of operation, the MeF system rejected 23 percent of the individual income tax returns filed.

The System Integration Test Results indicated all application requirements were tested and passed. However, supporting test documents showed that many of the requirements were not tested and many more failed the tests and no indication was provided to show the defects were corrected. Additionally, reviewing prior release development and deployment experiences – Lessons Learned Reports – would improve project management.

Further, controls were not adequate to manage all of the MeF system security risks, issues, and action items. Information provided by the IRS in December 2009, showed that 10 of the 13 security vulnerabilities were resolved. However, the January 2010 Security Test and Evaluation reported that only 2 of the 13 vulnerabilities were resolved.

WHAT TIGTA RECOMMENDED

TIGTA recommended the Chief Technology Officer ensure that project releases are deployed only after all system requirements are tested and met and that test results are verified to ensure their completeness and accuracy. Further, guidance should be modified to require consideration of Lessons Learned Reports earlier in the project development process.

To resolve all MeF system security issues, the Cybersecurity organization must complete implementation of the process to ensure that system owners enter and track all system security weaknesses in IRS control systems.

In its response to the report, the IRS stated it plans to update project development guidance and that it completed the process to control system security weaknesses as of March 25, 2010. The IRS disagreed with the recommendation about release deployment only after testing showed requirements were met, citing milestone readiness reviews and the Executive Steering Committee as controls. With the significant number of failed tests and the resulting problems in rejected individual income tax returns filed, TIGTA questions whether the Executive Steering Committee had sufficient and timely information to make an informed risk-based decision for deploying MeF Release 6.1.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

May 26, 2010

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: (for) Michael R. Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Modernized e-File Will Enhance Processing of Electronically Filed Individual Tax Returns, but System Development and Security Need Improvement (Audit # 200920023)

This report presents the results of our review of the Modernized e-File Project Release[1] 6.1 development activities. The overall objective of this review was to determine whether the Modernized e-File Project Release 6.1 development activities will provide the capability to electronically receive, process, and secure U.S. Individual Income Tax Returns (Form 1040), delivering the intended benefits to the Internal Revenue Service and taxpayers. This review was part of our Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Modernization of the Internal Revenue Service.

Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendations.
Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.

[1] See Appendix VI for a glossary of terms.

Table of Contents

Background

Results of Review
    The Modernized e-File Project Adds New Electronic Filing Capabilities and Improves Existing Capabilities
    The Modernized e-File Project Team Has Not Completely Addressed Previously Reported Requirements Management and Processing Issues
        Recommendation 1
    The Modernized e-File Project Team Generally Followed Established Systems Development Processes, but Can Improve Its Management of Requirements and Risks
        Recommendations 2 and 3
    Modernized e-File Security Issues Were Not Adequately Controlled or Resolved
        Recommendation 4

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Enterprise Life Cycle Overview
    Appendix V – Status of Resolution for Modernized e-File System Security Vulnerabilities and Security Findings
    Appendix VI – Glossary of Terms
    Appendix VII – Management’s Response to the Draft Report

Abbreviations

IRS      Internal Revenue Service
MeF      Modernized e-File
MITS     Modernization and Information Technology Services
TIGTA    Treasury Inspector General for Tax Administration

Background

The Modernized e-File (MeF) system is a replacement of the current Internal Revenue Service (IRS) tax return filing technology with a modernized, Internet-based electronic filing platform. This system streamlines tax return filing processes and reduces the costs associated with paper tax returns.

[Sidebar: The MeF system supports and facilitates the IRS’ commitment to achieve the IRS Restructuring and Reform Act of 1998 goal of receiving at least 80 percent of all tax returns in electronic form.]

In February 2004, the IRS deployed the initial MeF system release.[1] This release provided Internet-based filing of the U.S. Corporation Income Tax Return (Form 1120), the U.S. Income Tax Return for an S Corporation (Form 1120S), and the Return of Organization Exempt From Income Tax (Form 990). The MeF Project also developed the Federal/State Single Point Filing System platform and the Federal/State components for Forms 1120 and 990, permitting tax return transmitters to submit multiple Federal and State tax return types within one electronic transmission.

Subsequent releases added the U.S. Return of Partnership Income (Form 1065), U.S. Return of Income for Electing Large Partnerships (and Form 1065-B), excise tax forms associated with the Excise Tax e-File and Compliance project, U.S. Income Tax Return of a Foreign Corporation (Form 1120-F), and the Electronic Notice (e-Postcard) for Tax-Exempt Organizations Not Required to File Form 990 or 990-EZ (Form 990-N).

MeF Release 6.1 was deployed in February 2010 and includes the U.S. Individual Income Tax Return (Form 1040), Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868), and 21 forms and schedules related to Form 1040 for Tax Year 2009. Future releases will include hardware installation for full Form 1040 implementation, full disaster recovery capability, and the remaining Form 1040 related forms (approximately 120 forms).

For all forms submitted, electronic filing transmitters use IRS approved software to allow them to electronically file tax returns.
Returns received electronically are validated for format and content, and an acknowledgement is returned to the transmitter indicating whether the return was accepted or rejected. Accepted returns are stored in the Modernized Tax Return Database, the legal repository for original electronically filed tax returns received by the IRS through the MeF system, and forwarded to IRS downstream systems for further tax processing.

The MeF system is 1 of more than 200 computer systems maintained by the IRS to administer the nation’s tax system. Each tax return contains personally identifiable information, such as the filer’s name, address, Social Security Number, and other personal information. Because of the volume and type of data it maintains, the IRS is an attractive target for criminals with the intent to commit identity theft by stealing and using someone’s personal information for their own financial gain.

Like all Federal Government agencies, the IRS should protect its computer systems by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in the National Institute of Standards and Technology Special Publication 800-53.[2] These security controls include system access, audit logging, and contingency planning. In addition, the IRS is specifically required by Federal law[3] to keep taxpayer data confidential and prevent unauthorized disclosure or browsing of taxpayer records. These requirements apply to all IRS computer systems that maintain sensitive data.

[Sidebar: The IRS stores sensitive financial and personal information for more than 130 million individual taxpayers who file annual Federal income tax returns.]

This review was performed at the Modernization and Information Technology Services (MITS) organization facilities in New Carrollton, Maryland, during the period August 2009 through February 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. This review was included in the Treasury Inspector General for Tax Administration (TIGTA) Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Modernization of the IRS. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] See Appendix VI for a glossary of terms.
[2] Recommended Security Controls for Federal Information Systems, Revision 2, dated December 2007.
[3] Internal Revenue Code Section 6103 (26 U.S.C. Section 6103) and the Taxpayer Browsing Protection Act of 1997 (26 U.S.C.A. Sections 7213, 7213A, 7431 (West 2006)).

Results of Review

The Modernized e-File Project Adds New Electronic Filing Capabilities and Improves Existing Capabilities

The IRS deployed Release 6.1 on February 17, 2010, and for the first time, began processing electronically filed individual tax forms on the MeF system. MeF Release 6.1 also permits tax return transmitters to submit multiple Federal and State individual tax returns within one electronic transmission. MeF Release 6.1 provides benefits by improving individual tax return filing and processing efficiency and by being the system that provides tax form information to other IRS systems for use by employees.

The MeF Release 6.1 development included a plan to effectively manage the expected large processing volume of individual tax returns and requests for an extension to file. This plan incorporates a prudent approach by limiting the volume of forms for processing in Calendar Year 2010 so the IRS and tax form transmitters have an opportunity to observe system behavior and responses. Based on the system performance in Calendar Year 2010, the MeF system can be adjusted to manage the full workload of individual tax returns during Calendar Year 2011.

The plan controls the volume of processing by providing participating transmitters a limit to the number of forms they can submit daily. The daily totals are based on 2009 volumes and discussions held with the transmitters.
Based on agreements with transmitters, the IRS estimates MeF Release 6.1 will process the following volumes of individual tax forms during the periods specified:

   •   February 17, 2010, through February 28, 2010 – 1.5 million forms.
   •   March 1, 2010, through March 31, 2010 – 4.4 million forms.
   •   April 1, 2010, through April 15, 2010 – 5 million forms.

Based on these estimates, MeF Release 6.1 will process during these periods almost 11 million of the 15.6 million projected total individual tax forms the MeF system is expected to receive electronically.

The Modernized e-File Project Team Has Not Completely Addressed Previously Reported Requirements Management and Processing Issues

Verifying Development of Requirements: In a prior TIGTA audit report entitled The Modernized e-File Project Can Improve Its Management of Requirements,[4] we recommended Project Teams follow the Enterprise Life Cycle[5] provisions for managing requirements by ensuring planned capabilities were developed by tracing release requirements in the System Requirements Report to the requirements traceability verification matrices. In addition, we recommended the Project Team document implementation of all requirements throughout the project life cycle in the System Requirements Report. The IRS’ corrective action for MeF Requirements Traceability indicated that for Release 6, the MeF Project was working with the Business Rules and Requirements Management office to implement a full bi-directional traceability model. The IRS reported implementation of the corrective actions was completed January 16, 2009.

[4] Reference Number 2007-20-099, dated July 9, 2007.
[5] See Appendix IV for an overview of the Enterprise Life Cycle.

To determine if the MeF Release 6.1 requirements were adequately traced between the high-level and low-level requirements, we reviewed the:

   •   Business System Requirements Report Final, System Development Phase (Milestone 4b), dated December 3, 2009, which presents all of the requirements for implementation in Release 6.1.
   •   System Integration and Test Plan, Appendix A – Integration, Test, and Deployment Requirements Traceability Verification Matrix, dated November 3, 2009, which presents the bi-directional traceability between the release requirements and the related test cases.

We selected a sample of customer and system requirements to verify the adequacy of the bi-directional traceability for the MeF Release 6.1 requirements. The project staff performed the bi-directional requirements tracing between the Business System Requirements Report Final and the System Integration and Test Plan as required by the Enterprise Life Cycle.

The System Integration and Test End of Test Completion Report documents actual testing results and identifies applicable environmental, test approach, test design, test planning, and test execution variances from the original Test Plan. The Requirements Traceability Verification Matrix delivered in the original Test Plan must be updated to document the actual results of test execution. On March 5, 2010, after we had held our closing conference with the IRS, the Project Team provided the System Integration and Test End of Test Completion Report, dated January 22, 2010, which reported that all MeF Release 6.1 capabilities passed testing. Subsequently, on March 8, 2010, the Project Team provided Appendix A, which included two matrices – the Test, Assurance, and Documentation Requirements Traceability Verification Matrix and the Integration, Test, and Deployment Requirements Traceability Verification Matrix. The test execution results presented for the Test, Assurance, and Documentation Requirements Traceability Verification Matrix reported failed tests and defect reports for the MeF Release 6.1. These failed test results were not accurately summarized in the final report. Additionally, the Integration, Test, and Deployment Requirements Traceability Verification Matrix did not present any test execution results.
The following table presents the test results reported in the System Integration and Test End of Test Completion Report summary and in each of the traceability verification matrix sections.

Table 1: MeF Release 6.1 Testing Results

Section of System Integration and Test End of Test Completion Report | Number of Failed Tests | Number of Test Cases With Defect Reports
Report Summary | 0 | 8
Appendix A – Integration, Test, and Deployment Requirements Traceability Verification Matrix | No Results Provided | No Results Provided
Appendix A – Test, Assurance, and Documentation Requirements Traceability Verification Matrix | 34 | 120

Source: System Integration and Test End of Test Completion Report, dated January 22, 2010.

The Test, Assurance, and Documentation Requirements Traceability Verification Matrix also presented the following results about uncompleted tests: 29 blocked; 37 not run; 4 in progress; and 17 candidates for waiver. None of these results were included in the report body summary, and when asked about these conditions, the IRS did not provide an explanation for the conflicts between the final report and the supporting documentation.

Although the Project Team traced requirements between the Business System Requirements Report Final and the System Integration and Test Plan, the System Integration and Test End of Test Completion Report shows the test results were not traced to the requirements, and the application did not execute all of the requirements as expected.
The lack of consistent information regarding the effective execution of application requirements could impact the ability of the MeF system to perform the expected capabilities. In fact, during the first 3 weeks of operation, the MeF system rejected 29,697 (23 percent) of the 127,105 individual income tax returns filed.

We did not perform analyses to specifically determine whether the rejected individual income tax returns were directly related to the failed tests and identified defects. However, the TIGTA is currently conducting another audit to determine whether individual income tax returns transmitted through the MeF system are processed timely and accurately and in a manner consistent with tax returns processed in the current e-file system.

Recommendation

Recommendation 1: The Chief Technology Officer should ensure that project releases are deployed only after all system requirements are tested and met and that test results are verified to ensure their completeness and accuracy. If requirements are not met, defect reports should be prepared to allow for appropriate resolution by retesting or waiving the requirement prior to deployment.

    Management’s Response: The IRS disagreed with our recommendation. The IRS cited its milestone readiness review as a process for monitoring a project’s progress toward satisfying exit conditions and for making formal go/no-go recommendations to the Executive Steering Committee.
    The Executive Steering Committee process provides the forum to discuss risk-based decisions prior to deployment of systems built and products delivered.

    Office of Audit Comment: We acknowledge the controls the milestone readiness review and the Executive Steering Committee provide, and understand the role testing plays to ensure systems perform their intended functions accurately and reliably. However, with the significant number of failed tests reported and the subsequent problems with rejected individual income tax returns filed, we question whether the Executive Steering Committee had sufficient and timely information to make an informed risk-based decision for deploying MeF Release 6.1. As such, we continue to believe our recommendation to ensure that all system requirements are tested and met and results verified prior to deployment is valid and should be considered by the IRS.

Processing Valid Income Tax Returns for S Corporations – Form 1120S: In a prior TIGTA report entitled Improvements to the Modernized e-File System Will Help Provide Intended Benefits to the Internal Revenue Service and Taxpayers,[6] we reported that as a result of MeF Release 4 processing the Modernized Tax Return Database and the Business Master File did not always agree on the taxpayer’s entity information. Filing discrepancies occurred with the taxpayer’s qualification to file a Form 1120, Form 1120S, or Form 1065 or with the tax periods reported by the taxpayer. Procedures were in place in the Submission Processing function to perfect tax return information sent from the Modernized Tax Return Database to the Business Master File.
These procedures require correspondence with the taxpayer to resolve issues around the propriety of the tax return type necessary for filing.

[6] Reference Number 2008-20-122, dated June 18, 2008.

However, we found that available front-end tax return validation controls are not being used to prevent inaccurate tax returns from being accepted by the MeF system. These controls notify taxpayers that they did not meet the qualifications for the entity or tax period used in filing and would need to file a different form. These controls prevent unnecessary tax return processing, error resolution activity by the Submission Processing function, and correspondence with taxpayers.

We recommended that the Director, Submission Processing, and the Director, Electronic Tax Administration, perfect the validation controls to verify that taxpayers file the correct tax form based on their established filing election. These controls will prevent the MeF system from accepting the incorrect tax forms filed by taxpayers and, therefore, reduce the number of tax returns requiring Submission Processing function staff involvement. The IRS agreed with the recommendation for Form 1065 and Form 1120 and implemented the validation controls. The IRS proposed not implementing the validation controls for Form 1120S until processing and system limitations could be overcome.

[Sidebar: Implementing controls to ensure acceptance of valid tax returns prevents unnecessary processing and correspondence by the IRS and unnecessary correspondence with taxpayers.]

We followed up to determine the status of the corrective action for implementing the Form 1120S validation controls. The Wage and Investment Division’s Submission Processing function informed us that the processing and system limitations for implementing the Form 1120S validation controls still exist. However, the Submission Processing function is planning to implement a solution to reduce the number of Form 1120S tax returns that are accepted and subsequently require further communication with the taxpayer regarding propriety of their current filing election.

The Modernized e-File Project Team Generally Followed Established Systems Development Processes, but Can Improve Its Management of Requirements and Risks

Our assessment of MeF Release 6.1 project management controls, that included project work breakdown structure schedules, task orders and modifications, and meeting minutes, found that adequate documentation was developed and maintained to meet Enterprise Life Cycle requirements. Additionally, the MeF Project Team adequately controlled and monitored funding for MeF Releases 6.1, 6.2, and 7. However, improvements to guidance in managing requirements and risks could have enhanced the project development schedule.

The MeF Project Team generally followed established systems development processes

The MeF Project Team adequately implemented the following management controls for developing Release 6.1.

Configuration Management: The configuration management plan addresses key items required by the Enterprise Life Cycle.
The configuration management plan requires a repository for
project documentation and assigns responsibility for its maintenance and establishes a process
for initiating and approving change requests.
Quality Management: The quality management plan adequately describes activities, roles, and
responsibilities for the MeF quality assurance program. MeF Project quality examinations,
customer technical reviews, and monthly contractor reports did not identify any issues or
inconsistencies with planned quality assurance activities in the quality management plan.
Transition Management: MeF Release 6.1 development activities included end-user training
plans, manuals, and organizational changes to provide adequate transition from system
development to system operation. Reviews show that end-user manuals and related contact
information were developed, and end-user training is on schedule.
Project Funding Management: The MeF Project Team properly controlled and monitored
funding for MeF Releases 6.1, 6.2, and 7. Funding and scope changes were properly
documented and approved for restructuring the MeF Project release schedule, as evidenced by
documentation and meeting minutes from the IRS’ MITS organization Enterprise Governance
committee and Submission Processing Executive Steering Committee, the Department of the
Treasury, and the Office of Management and Budget.
Funding realignments were properly controlled and approved.
The Project required realignment
of $34 million from Release 7 to 6.1 to support unplanned and required needs including disaster
recovery preparation and testing, the integration of processing and access with other applications
and external users, and expanded hardware needs. This realignment was properly documented,
controlled, and approved through the Submission Processing Executive Steering Committee.
The MeF Project funding also was the subject of several monthly MITS organization internal
controls. These controls include the:
   •   Information Technology Project Control Review – assesses project progress and status in
       terms of management of cost, schedule, and technical complexity.
   •   Project Health Assessments – monitors risks associated with project management
       performance.
   •   Performance Measures Report – reports performance measures for both schedule and cost
       estimates at the project release and milestone level.

The MeF Project Team could have more effectively managed the risks associated
with system capacity requirements
The MeF Project Team, in conjunction with the engineering organization, identified the need for
appropriate infrastructure requirements early in Calendar Year 2008. As a result, a MeF system
benchmark test was conducted in May 2008.
The benchmark test results primarily included
development of performance measures needed to support the MeF Release 6 hardware
architecture.
However, the Business Rules and Requirements Management office granted the MeF Project a
waiver to exit the detailed design phase of the project development cycle in December 2008
without the final or new infrastructure requirements. The Business Rules and Requirements
Management office granted the waiver because the MeF Project Team gave assurances they were
working closely with the Infrastructure Architecture and Engineering office and were confident
that any infrastructure changes would not negatively impact the project. The conditional
approval to exit the detailed design phase was contingent upon the Business Rules and
Requirements Management office receiving all final requirements by January 25, 2009. The
detailed design phase exit was approved on December 4, 2008, without the revised infrastructure
requirements.
In April 2009, the MeF Project Team formally identified capacity testing as a risk to the project
schedule. This risk concerned the team’s absence of experience in MeF system capacity testing
for individual tax returns. Subsequently, the planned June 2009 system capacity testing was
delayed and not completed until the end of September 2009.
The capacity testing delay meant
the final infrastructure requirements were not known until the end of September 2009.
The capacity testing results showed the infrastructure needed additional infrastructure hardware
(eight Internet gateways) to securely manage the volume of electronic tax form transmissions for
processing. The purchase and installation of these gateways is estimated to occur in
March 2010 to handle the peak period of individual tax return filing in April. The cost for the
infrastructure additions includes $556,800 in hardware costs, $355,453 for installation and
configuration costs, and $114,055 in related service costs for maintaining the gateways through
January 2010. The additional infrastructure cost is $1,026,308 of the total $83.6 million
estimated for the development and deployment of MeF Release 6.1.
The MITS organization’s Risk Identification Procedure provides that special emphasis should be
placed on risk identification during the planning stages of a project.
In addition, the Risk
Identification Procedure provides a checklist of risk categories and specific questions to consider
during planning, including the following questions which may have helped the MeF Project
Team identify capacity testing as a candidate risk:
   •   Has enough time been scheduled to design and implement unfamiliar areas?
   •   Will the product be operated in an unfamiliar or unproved software environment?
   •   Will the product be operated in an unfamiliar or unproved hardware environment?
   •   Are all of the technology requirements included in the enterprise architecture?
   •   Are there unique requirements that have never been implemented before?
   •   Is there customization required for hardware?
   •   Will infrastructure support groups be ready for deployment of products (including
       hardware, software licenses, and network support)?
After identification of candidate risks, the procedure also includes steps to guide the project to
estimate the probable impact date of the risks, such as:
   •   Reviewing related program/project schedules and related information for impacted areas.
   •   As necessary, engaging the risk coordinator and other stakeholders and subject matter
       experts in determining the probable date of impact.
   •   Assessing date impacts of cross project and other external dependencies.
   •   Estimating and documenting a probable date when the candidate risk event could begin to
       negatively
       impact the program/project or organization entities.
By using the Risk Identification criteria previously cited, the issues encountered that delayed
testing may have been addressed earlier in the development process. For instance, the
Applications Development organization explained that capacity testing was delayed because the
MeF focused capacity testing was not performed in the past and the Project Team was not
prepared to meet the testing schedule. The complexity of this release and the potential volume of
electronic tax form transmissions required a detailed test plan to ensure all necessary testing was
identified. The organization also noted that technical issues were encountered with the test
environment setup, components, and configurations, as well as tool license issues and data
preparation problems. All of these issues required resolution to ensure successful testing.
The MeF Project Team may have avoided or reduced the risk associated with timely acquiring
the additional infrastructure hardware needed had it applied lessons from prior release
development and deployment experiences. In a prior TIGTA audit report entitled The
Modernized e-File Project Can Improve Its Management of Requirements,[7] we reported that the
MeF system experienced problems in its ability to handle the number of returns filed during the
March 2006 peak tax return filing period, and subsequently the Project Team developed lessons
learned to address these problems and to prevent similar occurrences. Lessons learned from
prior MeF releases that were not applied to validate MeF Release 6.1 included the need to timely
validate performance engineering model assumptions and determine the impact of new forms
and other processing loads on shared capacity.
Current guidance in the MITS organization Enterprise Life Cycle prescribes the development of
a Lessons Learned Report at each milestone.
However, we did not locate any guidance requiring
the reference to or use of Lessons Learned Reports from prior phases or releases at the inception
of new phases or releases of projects. The Phase Kickoff meeting directs an assessment of the
detailed requirements, implementation approach (including tailoring plans), schedule, budget,
risk and/or issues for that phase, and a revisit to the release strategy. However, this meeting
does not require a review of Lessons Learned Reports as one of the items listed among the
documents and other artifacts cited as inputs to the Project Initiation and Phase Kickoff Meeting
Procedure.

[7] Reference number 2007-20-099, dated July 9, 2007.

        The use of Lessons Learned Reports is intended to improve the efficiency and effectiveness
        of future projects, releases, or phases by reducing the number of repeat issues and lessons
        already learned in the past.

The MeF Project Team identified that the risks in improperly sizing infrastructure hardware to
help securely manage the volume of electronic tax form transmissions for processing may result
in degrading system performance or even the inability to receive or view files for tax processing.
The MeF Project Team also recognized the potential need for future expansion of the
infrastructure hardware with procurement provisions for at least 16 more Extensible Markup
Language gateways, if necessary.
The MeF system enhances the filing capabilities for tax preparers and the processing of tax
returns for the IRS.
These enhanced capabilities are not available if the MeF system is not
operational. The MeF system is critical to States, which will not receive returns filed for them if
it is not operational. Compromises of the MeF system’s performance could affect the confidence
taxpayers have in the IRS’ ability to securely manage filed tax forms.

Recommendations
The Chief Technology Officer should:
Recommendation 2: Modify the Enterprise Life Cycle guidance to require consideration of
prior Lessons Learned Reports as part of the Project Initiation and Phase Kickoff Meeting
Procedure in the early milestone planning stages.
       Management’s Response: The IRS agreed with our recommendation and will
       incorporate updates to the Project Initiation and Phase Kickoff Meeting Process
       Description and Procedure.
Recommendation 3: Use the Risk Identification Procedure as an input to the Enterprise Life
Cycle’s Project Initiation and Phase Kickoff Meeting Procedure.
       Management’s Response: The IRS agreed with our recommendation and will
       incorporate updates to the Project Initiation and Phase Kickoff Meeting Process
       Description and Procedure.

Modernized e-File Security Issues Were Not Adequately Controlled or
Resolved
We assessed the security controls and issues related to the MeF Release 6.1 development.
We
reviewed the IRS MeF Release 6.1 System Security Plan for the inclusion of the security controls
from the National Institute of Standards and Technology Special Publication 800-53,
followed up on the resolution of the 13 MeF Release 4 security vulnerabilities previously
reported on the MeF system, and monitored the MeF Release 6.1 detailed system design phase
(Enterprise Life Cycle Milestone 4a) and additional system development phase (Enterprise Life
Cycle Milestone 4b) exit condition security findings identified during the development of
MeF Release 6.1.
While the IRS included the recommended security controls in the MeF System Security Plan,
controls were not adequate to manage all of the security risks, issues, and action items. Although
information provided by the IRS showed that 10 of the 13 security vulnerabilities were resolved
by December 2008, the January 2010 Security Test and Evaluation reports that only 2 of the
13 vulnerabilities were resolved. Further, this Security Test and Evaluation identified two failed
security controls that were not previously reported as vulnerabilities.
The MeF Project Team also reported resolving 12 of 15 security findings it identified during
development. The three remaining findings relate to infrastructure, with imminent resolution of
one finding and deferral of another to MeF Release 6.2; the last is considered outside the scope
of the MeF application. Appendix V provides the details and status of actions to resolve the
related weaknesses of the 13 security vulnerabilities and 15 security findings identified by the
MITS organization.

The MeF System Security Plan included all of the recommended security controls
The MeF System Security Plan included all 212 of the National Institute of Standards and
Technology Special Publication 800-53 (Revision 2) recommended security controls. Revision 3
to the Special Publication 800-53 was issued in August 2009.
After consulting with the
Department of the Treasury’s Chief Information Security Officer, the IRS’ Cybersecurity
organization decided to implement this guidance with the Federal Information Security
Management Act of 2002[8] assessment that will begin in July 2010. Revision 3 includes
252 recommended security controls for the MeF that will be required for the next MeF release,
scheduled for January 2011.

[8] Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

The MeF system successfully completed disaster recovery tests
Disaster recovery is an organization’s ability to respond to an interruption in services by
implementing a plan to restore critical business functions. The MeF system participated in
disaster recovery testing on October 24, 2009. The tests showed that live transactions were
successfully processed on the MeF disaster recovery environment and posted and stored to
interfaced systems.
Examples of the specific test accomplishments included:
   •   Successful processing of Internet filing and application-to-application transmissions.
   •   Successful tax return requests and displays through the Employee User Portal.
   •   Successful recovery of transactions from the disaster recovery site.
   •   Successful reverse replication showing query reports from the disaster recovery site and
       original database site were identical.

The Cybersecurity organization did not control or resolve all existing
MeF security vulnerabilities
Security vulnerabilities are weaknesses identified in current operating systems. IRS policy
specifies that all computer system weaknesses from any valid source should be entered in the
Plan of Action and Milestones list. IRS system owners must track the status of the resolution of
all weaknesses and verify that each weakness is corrected before reporting the item as resolved
on the list.
The IRS is required to submit the Plan of Action and Milestones listing system weaknesses to the
Department of the Treasury and the Office of Management and Budget on a quarterly basis. The
Office of Management and Budget uses the information to assess the agency’s progress in
alleviating system weaknesses, monitor the Federal Government’s ability to implement the
Federal Information Security Management Act of 2002, and make budgetary decisions.
Inaccurate or incomplete Plan of Action and Milestones information affects the Office of
Management and Budget’s ability to obtain an accurate status of IRS security weakness
remediation.
There were 13 MeF system security vulnerabilities identified as part of the IRS Cybersecurity
MeF Release 4 Security Risk Assessment, dated April 23, 2007.
These security vulnerabilities
were also reported in a prior TIGTA report entitled The Internal Revenue Service Deployed the
Modernized e-File System With Known Security Vulnerabilities.[9] Information provided about
the status of the previously reported security vulnerabilities showed that in December 2008, 10
of the 13 vulnerabilities were resolved.

[9] Reference Number 2009-20-026, dated December 30, 2008.

We performed an analysis of the vulnerabilities and found the resolution activity was not always
adequately controlled or monitored. For example:
   •   The processes for establishing and confirming user identification on the MeF system did
       not meet Federal Government standards for accrediting cryptographic modules.
       This vulnerability was initially tracked in the Plan of Action and Milestones, but was
       closed on December 3, 2007. On December 17, 2008, the IRS provided a management
       response to our report that showed that this issue was closed. On September 15, 2009, an
       Item Tracking Reporting and Control System risk was opened for this security
       vulnerability.
       The MITS organization is currently taking actions to resolve this
       vulnerability by March 15, 2010.
       This vulnerability was not formally tracked by the IRS between the Plan of Action and
       Milestones being closed in December 2007 and the Item Tracking Reporting and Control
       System risk being opened in September 2009.
   •   Two security vulnerabilities for audit trails were not adequately controlled to reach
       resolution as part of Release 6.1 deployment:
       o The MeF system and database have a number of audit log weaknesses, including
         1) all required auditable events are not being captured, 2) no official has been
         assigned to monitor and maintain system audit mechanisms, 3) no database audit
         reduction tools were used, and 4) certain users that should have limited access have
         full capabilities to access database records, including taxpayer information.
       o An audit log review process was not in place, and logs were not being reviewed by
         MeF system officials.
       Both of these vulnerabilities were cancelled from the Plan of Action and Milestones on
       August 1, 2009, and were added to the IRS Security Material Weakness.[10] Not all of the
       details for the cancelled security vulnerabilities were included in the material weakness.
       Additionally, based on the due dates of the material weakness, the security vulnerabilities
       will not be completed until between June 2010 and April 2011. Therefore, the security
       vulnerabilities may still exist for MeF Release 6.1 when it begins operating in
       February 2010. Additionally, the audit trail issue has been included in several prior
       TIGTA reports beginning in August 2004.[11]

[10] The IRS established the Security Material Weakness in 1997. Since then, the IRS has aggressively strengthened
its computer security capabilities.
The original 1997 plan was rewritten in 2003, 2005, and again in 2008. An
Executive Steering Committee oversees the plan, ensuring that material weakness areas are addressed by all
impacted organizations, appropriate policy and procedures are implemented, and actions resolve the systemic cause
of the material weakness.
[11] The Audit Trail System for Detecting Improper Activities on Modernized Systems Is Not Functioning (Reference
Number 2004-20-135, dated August 26, 2004), Security Controls Were Not Adequately Considered in the
Development and Integration Phases of Modernization Systems (Reference Number 2005-20-128, dated
August 18, 2005), Improvements Are Needed to Ensure the Use of Modernization Applications Is Effectively Audited
(Reference Number 2006-20-177, dated September 29, 2006), and The Internal Revenue Service Deployed Two of
Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163,
dated September 24, 2008).

   •   After the maximum number of consecutive unsuccessful login attempts, the MeF system
       did not enforce automatic account locks on user accounts for a minimum of
       24 hours in accordance with IRS policies. The account lockout feature was set to
       15 minutes.
       This security vulnerability was closed by the Cybersecurity office as part of a Plan of
       Action and Milestones item in April 2008. This vulnerability was subsequently reported
       to the Submission Processing Executive Steering Committee as a security finding in
       December 2009 (see Appendix V, Table 1 item 6 and Table 2 item 12).
       The vulnerability
       was not identified for resolution for approximately 20 months, when it was reported as a
       security finding. This security finding is currently open.
Subsequently, the January 2010 Security Test and Evaluation reports show that only 2 of the
13 security MeF system vulnerabilities were actually resolved. The Security Test and Evaluation
also identified two failed security controls that were not previously reported as system security
weaknesses. The failed controls involved user access limitations and configuration of audit trail
record storage capacity.
Without proper controls to monitor and resolve the MeF system security vulnerabilities and
findings, unauthorized access to taxpayer information would continue to be available and
possibly go undetected. Consequently, the confidentiality, integrity, and availability of the
taxpayer records maintained by MeF could be impacted. Also, weak supervision and review of
user activities increases the opportunity for a user to perform undesirable actions that could go
undetected by organization officials.

Controls were not adequately used to manage all security risks, issues, and
action items affecting MeF Release 6 development
The MITS organization’s Risk, Issue, and Action Item Management Directive establishes a
common management process for addressing risks, issues, and action items across the MITS
organization. A common management process promotes early identification and timely
resolution of risks, issues, and action items when warranted.
This Directive provides that:
   •   All programs/projects shall inventory and document risks, issues, and action items.
   •   All major and non-major projects, contractors, and stakeholders shall participate jointly
       and cooperatively in a common management process for risks, issues, and action items.
   •   All major and non-major projects shall record and maintain risk, issue, and action item
       data in a single, central repository.
Additionally, the Risk, Issue, and Action Item Management Process Description includes
guidance for documenting the identification, assignment, and closure of risks, issues, and action
items in a central repository.
The MeF Project charter assigns the project manager responsibility for assessing risks, which
includes tracking risks until they are closed. Also, the MeF Project must adhere to the MITS
organization’s risk and issue management directive, process description, and procedures and use
the Item Tracking Reporting and Control system for documenting and controlling risks and
issues.
The MeF Project Team identified 10 security findings during MeF Release 6.1 development.
These findings were controlled as one action item which required resolution to complete the
detailed design stage of the release. Subsequently, the MeF Project Team identified five
additional security findings during the release development activities. As of December 29, 2009:
   •   One Item Tracking Reporting and Control System ticket was opened to track the
       10 detailed design stage security findings.
       Of these 10 findings, 8 have been closed, 1 is
       planned to be closed by March 2010, and 1 will be deferred for closure as part of MeF
       Release 6.2 in January 2011. The resolution to this finding is dependent upon the ability
       to successfully encrypt MeF information during data transmissions.
   •   Four of the five development stage security findings are not being tracked in the Item
       Tracking Reporting and Control System. Four have been closed and one is considered an
       “infrastructure” risk with resolution beyond the scope of the MeF system.
The MeF Project Team did not follow established MITS organization guidance for tracking of
modernization project risks. The security findings were not related and not controlled
individually in the Item Tracking Reporting and Control System. Absence of individual control
of the findings may prevent management from obtaining the resolution status of the findings
prior to the initiation of the release. If these risks are not resolved, the IRS may not be able to
properly secure tax return information received through the MeF system.

The ability to adequately control the identification and resolution of security
vulnerabilities and findings continues to challenge the IRS
TIGTA’s report entitled Customer Account Data Engine Release 4 Includes Most Planned
Capabilities and Security Requirements for Processing Individual Tax Account Information[12]
found that improvement was needed in tracking vulnerabilities until resolution in the Plan of
Action and Milestones list. Specifically, the IRS Cybersecurity organization does not monitor
system owners’ compliance with IRS policy to track all system vulnerabilities in the Plan of
Action and Milestones lists.
Further, it does not monitor system owners’ compliance with IRS
policy to verify that weaknesses are corrected before reporting them as resolved on the Plan of
Action and Milestones list.
We recommended that the Chief Technology Officer direct the Cybersecurity organization to
take actions that ensure the Customer Account Data Engine and mainframe computer system
owners: 1) appropriately enter and track system vulnerabilities on control systems, including the
Plan of Action and Milestones list and the Item Tracking Reporting and Control System, and
2) verify corrective actions are fully implemented before they are reported as resolved.

[12] Reference Number 2009-20-100, dated August 28, 2009.

The IRS agreed with our recommendation. The corrective action stated that the Cybersecurity
organization will continue to improve the process to ensure that system owners comply with IRS
policy to enter and track all system vulnerabilities in IRS control systems. However, the lack of
control of the MeF system vulnerabilities is continued evidence that the IRS needs to be more
proactive in ensuring that system vulnerabilities are properly entered and tracked.

Recommendation
Recommendation 4: The Chief Technology Officer should ensure that the Cybersecurity
organization will complete implementation of the process to ensure that system owners comply
with IRS policy to enter and track all system security weaknesses in IRS control systems.
This
should include all MeF system security issues and it should be ensured they are monitored and
tracked to resolution in either the Plan of Action and Milestones or the Item Tracking Reporting
and Control System.
       Management’s Response: The IRS agreed with our recommendation. The
       Cybersecurity office responded that it has made continuous improvements to the Plan of
       Action and Milestones process in recent years and considers the process complete and
       implemented as of March 25, 2010.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the MeF Project Release[1] 6.1
development activities will provide the capability to electronically receive, process, and secure
U.S. Individual Income Tax Returns (Form 1040), delivering the intended benefits to the IRS
and taxpayers. This review was part of our Fiscal Year 2010 Annual Audit Plan for reviews of
the IRS Business Systems Modernization efforts.
I.         Determined whether the MeF Project Release 6.1 development provides the planned
           capabilities and benefits to the IRS and taxpayers.
II.        Followed up on prior TIGTA report recommendations to determine whether the
           corrective actions for improvements to the MeF Project were adequate to resolve the
           issues regarding:
           A. Implementation of controls to ensure only valid U.S.
              Income Tax Returns for an S Corporation (Form 1120S) are accepted for processing.
           B. The use of bi-directional traceability for Release 6.1 requirements.
III.       Determined whether MeF Project Release 6.1 includes adequate security controls and
           whether all previously identified security vulnerabilities and findings have been resolved
           to provide adequate security of taxpayer return information on the MeF system.
IV.        Determined whether the MeF Project Releases 6.1, 6.2, and 7 funding and scope were
           properly monitored and controlled.

[1] See Appendix VI for a glossary of terms.

Modernized e-File Release 6.1 Requirement Samples
Tables 1 and 2 present the MeF Release 6.1 populations and samples we used to analyze the
adequacy of the bi-directional requirement traceability (Subobjective II. B.). Table 1 presents
the parameters of the sample we selected from the IRS customer requirements in the MeF
Release 6.1, Milestone 4b, Business System Requirements Report to verify the requirements that
were requested and approved for development were traced to system requirements.
Table 2 presents the parameters of the sample we selected of system requirements from the
System Integration and Test Plan, Appendix A – Integration, Test, and Deployment
Requirements Traceability Verification Matrix to verify that system requirements were
considered for testing. The system requirements are developed in support of the IRS customer
requirements.
Our samples included judgmentally selected requirements related to previously
identified risks as well as randomly selected requirements for review. These samples enabled us
to obtain sufficient evidence to support our results.

Table 1: Sample Selection of MeF Release 6.1 Customer
Requirements From the Business System Requirements Report

                                                     Sample Size From a Population of
MeF Release 6.1 Customer Requirements Category       361 Customer Requirements
Security                                                2
Peak Processing                                         5
Authentication                                          1
Electronic Fraud Detection System                       4
Every 36th Customer Requirement in the                 10
Business System Requirements Report
Total Sample Size                                      22

Source: Modernized e-File Release 6.1, Business System Requirements Report Final System
Development Phase (Milestone 4b), dated December 3, 2009.

Detailed sample parameters:
   •    Security – We selected 2 MeF Release 6.1 customer requirements related to the security
        of the MeF system.
   •    Peak Processing – We selected 5 MeF Release 6.1 customer requirements related to the
        ability of the MeF system to support peak processing times.
   •    Authentication – We selected 1 MeF Release 6.1 customer requirement related to
        authentication of transmitters.
   •    Electronic Fraud Detection System – We selected 4 MeF Release 6.1 customer
        requirements related to the MeF system’s interface with the
        Electronic Fraud Detection System.
   •    Every 36th Customer Requirement – We randomly selected an additional
        10 MeF Release 6.1 customer requirements.

Table 2: Sample Selection of MeF Release 6.1 System
Requirements From the System Integration and Test Plan

                                                     Sample Size From a Population of
MeF Release 6.1 System Requirements Category         250 System Requirements
Capacity                                                5
Audit                                                   7
Strong Authentication                                   2
Access Controls                                         5
Every 23rd System Requirement in the                   10
System Integration and Test Plan
Total Sample Size                                      29

Source: Modernized e-File Release 6.1, System Integration and Test Plan, Appendix A - Integration, Test,
and Deployment Requirements Traceability Verification Matrix, dated November 3, 2009.

Detailed sample parameters:
   •   Capacity – We selected 5 MeF Release 6.1 system requirements related to the capacity
       of the infrastructure to support the MeF system.
   •   Audit – We selected 7 MeF Release 6.1 system requirements related to
       the ability of the infrastructure to produce audit records for the MeF system.
   •   Strong Authentication – We selected 2 MeF Release 6.1 system requirements related to
       the ability of the infrastructure to provide strong authentication of systems and users to
       the MeF system.
   •   Access Controls – We selected 5 MeF Release 6.1 system requirements related to the
       ability of the infrastructure to provide access controls for the MeF system.
   •   Every 23rd System Requirement – We randomly selected an additional
       10 MeF Release 6.1 system requirements.
Internal controls methodology
Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance.
We determined the MeF Project’s application development and security provisions provided the
internal controls relevant to our audit objective. Specifically, this guidance includes the
Enterprise Life Cycle,21 the Internal Revenue Manual, and National Institute of Standards and
Technology Special Publication 800-53, Recommended Security Controls for Federal
Information Systems and Organizations. We assessed the adequacy of MeF Project development
activities in relation to direction provided by this guidance.
We also assessed the adequacy of
MeF Project development and program plans by reviewing Business Systems Modernization
program and project documentation and data provided by the IRS, the Business Systems
Modernization Expenditure Plans, and the Exhibit 300, Capital Asset Plan and Business Case,
required by the Office of Management and Budget. We supported this work by interviewing
Applications Development organization, Wage and Investment Division, and Cybersecurity
organization personnel.

[2] See Appendix IV for an overview of the Enterprise Life Cycle.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology
Services)
Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information
Technology Services)
Scott A. Macfarlane, Director
Edward A. Neuwirth, Audit Manager
Mark K. Carder, Senior Auditor
Beverly K. Tamanaha, Senior Auditor
Louis V. Zullo, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Commissioner, Wage and Investment Division SE:W
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Enterprise Services OS:CTO:ES
Director, Procurement OS:A:P
Director, Stakeholder Management OS:CTO:SM
Deputy Associate Chief Information Officer, Applications Development OS:CTO:AD
Deputy Associate Chief Information Officer, Systems Integration OS:CTO:ES:SI
Director, Test, Assurance, and Documentation OS:CTO:AD:TAD
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Commissioner, Wage and Investment Division SE:W
       Associate Chief Information Officer, Applications Development OS:CTO:AD
       Director, Procurement OS:A:P
       Director, Program Oversight OS:CTO:SM:PO

Appendix IV

Enterprise Life Cycle Overview

The Enterprise Life Cycle[1] is the IRS’ standard approach to business change and information
systems initiatives. It is a collection of program and project management best practices designed
to manage business change in a successful and repeatable manner. The Enterprise Life Cycle
addresses large and small projects developed internally and by contractors.
The Enterprise Life Cycle includes such requirements as:
      •    Development of and conformance to an enterprise architecture.
      •    Improving business processes prior to automation.
      •    Use of prototyping and commercial software, where possible.
      •    Obtaining early benefit by implementing solutions in multiple releases.
      •    Financial justification, budgeting, and reporting of project status.
In addition, the Enterprise Life Cycle improves the IRS’ ability to manage changes to the
enterprise; estimate the cost of changes; and engineer, develop, and maintain systems effectively.
Figure 1 provides an overview of the phases and milestones within the Enterprise Life Cycle. A
phase is a broad segment of work encompassing activities of similar scope, nature, and detail and
providing a natural breakpoint in the life cycle. Each phase begins with a kickoff meeting and
ends with an executive management decision point (milestone) at which IRS executives make
“go/no-go” decisions for continuation of a project.
Project funding decisions are often associated
with milestones.

[1] See Appendix VI for a glossary of terms.

Figure 1: Enterprise Life Cycle Phases and Milestones

Phase                             General Nature of Work                                  Milestone
Vision and Strategy/              High-level direction setting. This is the only          0
Enterprise Architecture Phase     phase for enterprise planning projects.
Project Initiation Phase          Startup of development projects.                        1
Domain Architecture Phase         Specification of the operating concept,                 2
                                  requirements, and structure of the solution.
Preliminary Design Phase          Preliminary design of all solution components.          3
Detailed Design Phase             Detailed design of solution components.                 4A
System Development Phase          Coding, integration, testing, and certification of      4B
                                  solutions.
System Deployment Phase           Expanding availability of the solution to all target    5
                                  users. This is usually the last phase for
                                  development projects.
Operations and Maintenance        Ongoing management of operational systems.              System
Phase                                                                                     Retirement

Source: The Enterprise Life Cycle Guide.

Appendix V

Status of Resolution for Modernized e-File System
Security Vulnerabilities and Security Findings

Table 1 presents the 13 MeF security vulnerabilities identified as part of the IRS Cybersecurity
organization MeF Release[1] 4 Security Risk Assessment, dated April 23, 2007. Included is the
status of the vulnerabilities provided by the IRS in response to a prior TIGTA report[2] and the
status of the vulnerabilities as reported by the January 2010 Security Test and Evaluation.

[1] See Appendix VI for a glossary of terms.
[2] The Internal Revenue Service Deployed the Modernized e-File System With Known Security Vulnerabilities
(Reference Number 2009-20-026, dated December 30, 2008).

Table 1: MeF Security Vulnerabilities

1.  Security Vulnerability: Unauthorized users had direct access to the MeF system
    management console, which provided system administrative functionalities such as the
    ability to change security settings and web services configurations. Any IRS employee
    with access to the Intranet could login to the console.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Resolved June 2007.

2.  Security Vulnerability: Security configuration settings on the MeF system servers and
    database were not sufficiently restrictive.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Unresolved.

3.  Security Vulnerability: Information input restrictions for State Government electronic
    tax filings were not in place on the MeF system.
    Vulnerability Status Provided by the IRS on December 17, 2008: Invalid and closed – resolved.
    Vulnerability Status As of January 2010: Unresolved.

4.  Security Vulnerability: The processes for establishing and confirming user
    identification on the MeF system did not meet Federal Government standards for
    accrediting cryptographic modules.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Unresolved.

5.  Security Vulnerability: Database users had more access privileges than they needed to
    carry out their responsibilities.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Unresolved.

6.  Security Vulnerability: After the maximum number of consecutive unsuccessful login
    attempts, the MeF system did not enforce automatic account locks on user accounts for a
    minimum of 24 hours in accordance with IRS policies. The account lockout feature was
    set to 15 minutes.
    Vulnerability Status Provided by the IRS on December 17, 2008: Unresolved.
    Vulnerability Status As of January 2010: IRS reported that solutions were implemented
    in production in April 2008; however, this same issue is listed as Security Finding 12
    and is reported as an Infrastructure risk outside the scope of the MeF application.

7.  Security Vulnerability: Several database user accounts had multiple invalid password
    settings that were not in accordance with IRS policy.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Unresolved.

8.  Security Vulnerability: System users with limited access needs were granted full access
    to database records. Also, database administrator privileges were provided to
    nondatabase administrative personnel.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Unresolved.

9.  Security Vulnerability: The MeF system and database have a number of audit log
    weaknesses including 1) all required auditable events are not being captured, 2) no
    official has been assigned to monitor and maintain system audit mechanisms, 3) no
    database audit reduction tools were used, and 4) certain users that should have limited
    access have full capabilities to access database records, including taxpayer information.
    Vulnerability Status Provided by the IRS on December 17, 2008: Partially resolved, with
    the remaining actions to be completed in Fiscal Year 2009.
    Vulnerability Status As of January 2010: Unresolved.

10. Security Vulnerability: An audit log review process was not in place, and logs were not
    being reviewed by MeF system officials.
    Vulnerability Status Provided by the IRS on December 17, 2008: Target completion date
    is December 31, 2008 – resolved.
    Vulnerability Status As of January 2010: Unresolved.

11. Security Vulnerability: An alternate processing site agreement had not been established
    for the MeF system.
    Vulnerability Status Provided by the IRS on December 17, 2008: Resolved.
    Vulnerability Status As of January 2010: Resolved January 2008.

12. Security Vulnerability: Business object reports containing personally identifiable
    information were transmitted in clear text.
    Vulnerability Status Provided by the IRS on December 17, 2008: Invalid and closed – resolved.
    Vulnerability Status As of January 2010: Unresolved.

13. Security Vulnerability: System and database administrators used insecure methods to
    transmit MeF system data within the IRS.
    Vulnerability Status Provided by the IRS on December 17, 2008: Unresolved – To be
    resolved when MeF Release 5.5 deploys in January 2009.
    Vulnerability Status As of January 2010: Unresolved.

Source: Prior TIGTA report entitled The Internal Revenue Service Deployed the Modernized e-File System With
Known Security Vulnerabilities (Reference Number 2009-20-026, dated December 30, 2008) and the
January 2010 Security Test and Evaluation.

Table 2 presents 15 MeF system development security findings. The MeF Release 6 Project
Team identified 10 security findings on December 8, 2008, during the detailed design stage of
the release.
Subsequently, the Project Team identified five additional security findings during
the release development activities.

Table 2: MeF Security Findings

1.  Security Finding Description: User names and passwords are being transmitted in clear
    text.
    IRS Reported Status As of December 29, 2009: Resolved June 2009.

2.  Security Finding Description: Passwords are being generated by MeF on behalf of users.
    Passwords violate password complexity requirements.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

3.  Security Finding Description: Database credentials could be exposed to systems or
    network administrators.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

4.  Security Finding Description: Oracle auditing feature is not enabled in production and
    should be compliant for MeF Release 6.1.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

5.  Security Finding Description: The system fails to protect the integrity of transmitted
    data. Encryption is needed to support external sensitive but unclassified/personally
    identifiable information data transfers.
    IRS Reported Status As of December 29, 2009: Resolved January 2009.

6.  Security Finding Description: Insecure protocols, File Transfer Protocol, and Network
    File System are being used.
    IRS Reported Status As of December 29, 2009: Resolved January 2009.

7.  Security Finding Description: MeF Release 6 interface to Enterprise Application
    Integration Broker/National Account Profile is a new web service. Ensure new roles, data
    transfers, error handling, and provisioning of credentials are implemented securely.
    IRS Reported Status As of December 29, 2009: Proposed resolution scheduled for
    Release 6.2 implementation January 2011.

8.  Security Finding Description: The Disaster Recovery strategy for MeF Release 6.1 is not
    defined. An Enterprise Disaster Recovery Strategy is needed to properly address all
    components needed to address a recovery configuration for MeF Release 6.1.
    IRS Reported Status As of December 29, 2009: Resolved November 2009.

9.  Security Finding Description: Business Objects used for statistical reporting. 1) Some
    reports are not adequately protected and marked “Sensitive But Unclassified”;
    2) Auditing of business objects reports with “Sensitive But Unclassified” information is
    inadequate.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

10. Security Finding Description: Gateway throughput of database not sufficient for peak
    loads for MeF Release 6.1.
    IRS Reported Status As of December 29, 2009: Proposed Resolution scheduled for
    implementation March 2010.

11. Security Finding Description: Use of open source iText code presents a potential
    security risk.
    IRS Reported Status As of December 29, 2009: Resolved January 2010.

12. Security Finding Description: After 3 unsuccessful attempts, the MeF system Web
    application and Web services automatically lock out the offending user accounts for only
    15 minutes. The project office is currently verifying the 15 minutes and will confirm
    when confirmation is received.
    IRS Reported Status As of December 29, 2009: The infrastructure risk is outside the
    scope of the MeF application. The proposed resolution is being tracked as a general
    support system issue.

13. Security Finding Description: Legacy Tax Return Data Base records for both
    U.S. Individual Income Tax Return (Form 1040) and Application for Automatic Extension
    of Time To File U.S. Individual Income Tax Return (Form 4868) contain National Account
    Profile data. Form 1040 records contain bank routing information which could be used
    for fraud by a corrupt administrator or inside attacker.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

14. Security Finding Description: Application to application client application users and
    machine operators who send messages to the MeF system Web services cannot be
    individually identified, authenticated, and tracked by the MeF Release 6.1 system. Lack
    of individual accountability can encourage attackers to take advantage of the situation.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

15. Security Finding Description: MeF Security Audit and Analysis System logs are not
    populated with two required fields. The two fields that were missing were the Error Code
    and Return Message.
    IRS Reported Status As of December 29, 2009: Resolved December 2009.

Source: The IRS Submission Processing Executive Steering Committee presentations.

Appendix VI

Glossary of Terms

Action Item
    A short-duration, minimal resources activity assigned to a member
    or stakeholder in the program/project or organization within the
    MITS organization. An action item must be within the scope of
    the duties currently assigned to that person.

Business Objects
    Objects in an object-oriented computer program that represent the
    entities in the business domain that the program is designed to
    support.
    For example, an order entry program might have
    business objects to represent each order, line items, and invoices.

Business Rule
    A statement that defines or constrains some aspect of the business.

Business Systems Modernization
    A complex effort that began in Calendar Year 1999 to modernize
    IRS technology and related business processes.

Capital Asset Plan and Business Case
    Also known as Exhibit 300, it is used as a one-stop document for a
    myriad of information technology management issues such as
    business cases for investments, agency modernization efforts, and
    overall project management. The Office of Management and
    Budget requires each agency to submit an Exhibit 300 twice each
    year for each major information technology investment.

Customer Account Data Engine
    Consists of databases and related applications that will replace the
    IRS official repository of taxpayer information (the Master File)
    and provide the foundation for managing taxpayer accounts to
    achieve the IRS modernization vision.

Database Credentials
    Requirements for securely storing and retrieving database
    usernames and passwords for use by a program that will access a
    database.

Electronic Fraud Detection System
    The primary information system used to support the IRS Criminal
    Investigation Division’s Questionable Refund Program, which is a
    nationwide program established in January 1997 to detect and stop
    fraudulent and fictitious claims for refunds on income tax returns.

Employee User Portal
    A web-hosting infrastructure that supports an Intranet portal that
    allows IRS employees to access business applications and data.

Enterprise Application Integration Broker
    A commercial off-the-shelf solution that will be used to enable the
    communication and data transformations between components of
    the Account Management Services system, the current processing
    environment, and the Customer Account Data Engine.

Enterprise Life Cycle
    A structured business systems development method that requires
    the preparation of specific work products during different phases
    of the development process.

File Transfer Protocol
    A standard set of rules used to exchange and manipulate files over
    a network, such as the Internet.

Governance
    An IRS designed enterprise governance model that assigns all
    information technology projects to an appropriate executive
    oversight body.

Infrastructure
    The fundamental structure of a system or organization. The basic,
    fundamental architecture of any system (electronic, mechanical,
    social, political, etc.) determines how it functions and how flexible
    it is to meet future requirements.

Issue
    A situation or condition that either 1) currently has negative
    consequences for an Information Technology program/project or
    organization or 2) has 100 percent probability of having negative
    consequences for the program/project or organization.

Item Tracking Reporting and Control System
    An information system used to track and report on issues, risks,
    and action items in the modernization effort.

iText
    A library to create, read, or manipulate documents in the Portable
    Document Format. iText can export the same document to
    multiple formats or multiple instances of the same format.

Master File
    The IRS database that stores various types of taxpayer account
    information. This database includes individual, business, and
    employee plans and exempt organizations data.

Milestone
    Milestones provide for “go/no-go” decision points in a project and
    are sometimes associated with funding approval to proceed.

MITS Enterprise Governance Committee
    The highest level recommending and decision-making body to
    oversee and enhance enterprise management of information
    systems and technology. It ensures strategic modernization and
    information technology program investments, goals, and activities
    are aligned with and support 1) the business needs across the
    enterprise and 2) the modernized vision of the IRS.

National Account Profile
    A compilation of selected entity data from various Master Files.
It\n                                  includes all valid and invalid individual taxpayer entity\n                                  information for all taxpayers on the Individual Master File,\n                                  Business Master File, and Employee Plans Master File Processing.\nNational Institute of Standards   An agency under the Department of Commerce responsible for\nand Technology                    developing standards and guidelines, including minimum\n                                  requirements, for providing adequate information security for all\n                                  Federal Government agency operations and assets.\nPersonally Identifiable           Information that can potentially be used to uniquely identify,\nInformation                       contact, or locate a single person.\nPortable Document Format          A fixed-layout document format used for representing\n                                  two-dimensional documents in a manner independent of the\n                                  application software, hardware, and operating system.\nRelease                           A specific edition of software.\nRequirement                       A formalization of a need and the statement of a capability or\n                                  condition that a system, subsystem, or system component must\n                                  have or meet to satisfy a contract, standard, or specification.\nRisk                              A potential event that could have an unwanted impact on the cost,\n                                  schedule, business, or technical performance of an Information\n                                  Technology program/project or organization.\nSecurity Test and Evaluation      A testing process that determines the extent to which the controls\n                                  are implemented correctly, operating as intended, and producing\n                                  the desired outcome with 
respect to meeting the security\n                                  requirements for the system.\nTask Order                        An order for services planned against an established contract.\nWork Breakdown Structure          A deliverable-oriented grouping of project elements that organizes\n                                  and defines the total scope of a project. A project schedule used to\n                                  manage the tasks, task relationships, and resources needed to meet\n                                  project goals.\n\n                                                                                            Page 33\n\x0c           Modernized e-File Will Enhance Processing of\n          Electronically Filed Individual Tax Returns, but\n       System Development and Security Need Improvement\n\n\n\n                                                  Appendix VII\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                         Page 34\n\x0c    Modernized e-File Will Enhance Processing of\n   Electronically Filed Individual Tax Returns, but\nSystem Development and Security Need Improvement\n\n\n\n\n                                                  Page 35\n\x0c    Modernized e-File Will Enhance Processing of\n   Electronically Filed Individual Tax Returns, but\nSystem Development and Security Need Improvement\n\n\n\n\n                                                  Page 36\n\x0c'